The Banking View | Why credit fraud often remains below the spotlight

Vilém Dědek, mBank:  As regulatory pressure increases, improved data sharing across banks, telecom providers, and digital platforms may represent the biggest opportunity to reduce fraud risk.

Vilém, could you please introduce yourself and share more details about your professional background and your role at mBank?

Sure. I'm a Senior Credit Fraud Analyst at mBank, covering the Czech and Slovak markets. My background is a bit of a mix. I started in telco fraud at Vodafone, moved into consulting at PwC, where I worked on fraud compliance and fraud technology projects, and eventually landed in banking. The way I see it, fraud doesn't respect sector boundaries, so that cross-sector experience gives me a different lens. Not just on fraud in general, but on specific patterns and typologies too.

That said, these days my main focus is on leveraging data to build smarter detection strategies, support risk decisions and improve how our teams collaborate across functions.

What is top of mind for you this year regarding fraud, financial crime, and compliance? Which trends or shifts concern you most?

A few things. You probably hear this all the time, but AI-enabled fraud genuinely deserves the attention it's getting. Deepfakes, voice cloning, synthetic identities. And on top of that, tools like FraudGPT, WormGPT, or DarkBERT, combined with active knowledge sharing between fraudster communities, mean the threat is evolving faster than most institutions can respond. But honestly, what concerns me equally is the internal side: data fragmentation. Banks, telcos, platforms. Everyone is collecting data, but in isolation. Nobody sees the full picture, and that's exactly the gap fraudsters exploit. The regulatory shift with PSR and PSD3 is forcing that conversation, which is good. But the operational path is long, and the institutions that start building that infrastructure now will have a clear advantage.

Which types of fraud or financial crime do you believe are currently underreported or underestimated in the market?

Look, I know this is going to sound like I'm biased here, but credit fraud is genuinely underestimated. APP scams, ATO frauds, and most phishing-based scams get all the attention right now because regulators and the media have put them front and centre, which makes sense. It's a serious problem. But credit fraud is quietly growing in the background. What many people don't realise is that a significant portion of it is actually prevented before disbursement. The fraud is stopped before any money leaves. That could make it invisible in the stats, and invisible problems don't get that much attention.

Part of the challenge is also that credit fraud sits in a grey zone between fraud and credit risk, and organisations don't always agree on where the line is. If a case gets classified as a bad debt write-off, it never makes it into fraud reporting. That distorts the picture for everyone trying to understand the real scale of the problem.

What are the key implications of the PSR and PSD3 frameworks for banks? What is the biggest uncertainty institutions are still trying to resolve?

The way I see it, the biggest shift is around liability. PSR moves the goalposts significantly compared to PSD2. Banks will be responsible for a much broader range of fraud scenarios, which is a fundamentally different level of accountability. But what I find equally interesting is the push towards cross-industry data sharing. PSR and PSD3 are bringing telcos and online platforms into the conversation, which has never really happened at this scale before. The biggest uncertainty right now though is that the detailed requirements are still being worked out. Banks are expected to prepare, but nobody has the full picture yet. That means institutions are essentially building compliance programs against a moving target, and that's a real challenge, especially for smaller players.
PSR enables shared fraud intelligence across PSPs and even non-traditional players. How can banks plan to invest in technology and strategy to intercept these signals before fraud escalates? 
From where I sit, the answer is simpler than it might seem. It starts with breaking down internal silos before even thinking about external signals. Real-time monitoring sounds great on paper, but if your internal data isn't connected and clean, adding more external streams just creates more noise. 

What matters most is getting the foundations right first. Solid data infrastructure, clear ownership of signals, and teams that actually talk to each other. The technology investment makes sense only when you know what you're trying to do with it.

With the inclusion of non-bank entities such as social media platforms and telecom providers in fraud reporting, what challenges do you foresee in integrating these data streams into risk models?

I've worked in telco fraud before, so I can say this from experience. The data is there, but it's not clean and it's not standardised. And before we even talk about integrating it into risk models, I think the honest first step is figuring out what each player can actually share, in what format, and under what conditions. That conversation hasn't really happened at scale yet. 
Telcos have their own fraud problems and their own priorities. Platforms have legal teams that will push back on anything that looks like liability. Once we have a clearer picture of what's available and what's realistic, then integration makes sense. But jumping straight to risk model implementation without that foundation is getting ahead of ourselves. The signal quality problem is as hard as the regulatory one.

What barriers could slow down broader collaboration between banks, telecom providers, and digital platforms?

Three things, honestly. From the banking side, I think the will is there. Banks are aligned with the goal of protecting customers. But I can't fully speak for telco or digital platforms. They operate under different conditions, different business priorities, different definitions of what's shareable. Getting everyone on the same page operationally is just harder than it sounds. Technical overhead, governance frameworks, liability questions. Then there's GDPR complexity. Every data share runs into a different interpretation of what's allowed, and that's only going to get more complex as data protection becomes a bigger regulatory priority. And third, organisational culture. Fraud teams in banks often don't have established relationships with their equivalents in telco or digital platforms. Different industries, different vocabularies, different incentive structures. You're not just connecting systems. You're connecting communities that have never had to work together before.

In cases of social engineering scams, what types of cross-sector data would make the biggest difference?

Call metadata from telcos is one of the most underutilised signals out there. Scam Signal, already live in the UK, is a good example of what's possible. It correlates real-time telephony data with payment activity. If a customer receives a suspicious call and makes a large transfer shortly after, that's a detectable pattern. It works. The EU just isn't fully there yet, and I think it will be. And honestly, I think it's only the beginning. Once banks and telcos actually start talking, structurally and not just at conferences, other signals will surface too. Behavioural data from digital platforms, account activity patterns, things neither side can see alone. The combination of communication-layer and transaction-layer signals is where the real opportunity sits. But you only find that out by starting the conversation.

Could mandatory data sharing push fraudsters toward more fragmented or cross-border schemes that exploit gaps between jurisdictions?

Almost certainly yes. Fraudsters adapt faster than regulation. Sometimes you have to ask what's quicker, a fraudster or the speed of light? If you close one corridor, they find another. It's that simple. 
Mandatory sharing within the EU is a step forward, but it creates a new pressure point at the EU's external borders. Cross-border schemes targeting jurisdictions with weaker frameworks will increase. And once you solve data sharing on a national level, the next challenge is cross-border within the EU. And then what? The regions attached to Europe's edges have frameworks that vary significantly from West to East. 
The EU's borders aren't the end of the problem. They might just be the beginning of the next one.

Are there existing examples globally where banks already share fraud intelligence in a structured way that could be followed in Europe?

Definitely, there are a few I've read about. I believe CIFAS in the UK could be the most cited reference point for Europe. A shared fraud database that banks contribute to and query. It works, and it's been running for decades, and notably, I have not heard about the equivalent in the EU. But if you look beyond Europe, the models get more interesting. Singapore and Australia are often referenced as examples of a whole-of-ecosystem approach. Not just banks sharing with banks, but law enforcement, telcos and platforms all brought into the same framework. What stands out about both is that they didn't stop at the financial sector. They pulled in every party that touches the fraud chain. That's the mindset shift Europe needs. The concept is proven elsewhere. Replicating it across 27 member states, different languages and different regulatory interpretations, is a much harder problem.

Once PSR and PSD3 become fully effective, what do you expect to come next?

Regulation will keep evolving, that's a given. But what I think gets underestimated is the implementation gap. The distance between what frameworks require on paper and what smaller markets can actually deliver operationally. That gap is where fraudsters will keep finding room. And as I mentioned earlier in this interview, the next real pressure point won't be inside the EU. It'll be at its external borders. There are fraud typologies that haven't reached the EU yet but are already gaining traction elsewhere. Cross-border collaboration is how we get ahead of that. Not just reacting to what's here but preparing for what's coming. Let's see where PSD3 and PSR actually take us, and how much better we'll get at tackling fraud along the way.

About Vilém Dědek

Vilém Dědek is a Senior Credit Fraud Analyst at mBank S.A., where he covers the CZ and SK markets. His 6 years of fraud detection experience span telco, consulting, and banking, giving him a view of fraud as a multisectoral problem and the ability to spot patterns others might miss. These days, his focus is on using data to build smarter detection strategies, support risk decisions and unlock cross-team collaboration, always looking for new data sources that can push fraud detection further.

 

 

About mBank

mBank is a dynamic digital bank operating in the Czech and Slovak markets since 2007. It was the first low-cost bank of a new generation in the Czech Republic and today serves nearly 790,000 clients. With its intuitive mobile app, customers can manage their finances anytime and anywhere with ease. mBank’s parent company is the Polish mBank, part of the German Commerzbank Group. In 2025, mBank earned top positions in the Finparáda.cz – Financial Product of the Year 2024 awards and received prestigious recognition in the Mastercard Awards for innovative wearable payments. It also won the VISA Awards #1 Business Proposition for its comprehensive solutions for small entrepreneurs.